Agent Integrations Require Tenant Isolation
Ayan Barua, CEO of Ampersand, on infra for AI agent integrations
The real bottleneck in agent integrations is not getting a tool call to work, it is stopping that tool call from doing the wrong thing in the wrong customer account. MCP gives agents a common way to talk to systems, but it does not separate tenants, manage auth refresh, track data lineage, enforce consent, or recover from failures. That missing layer is where integration infrastructure becomes a security and governance product, not just a connectivity product.
-
In practice, the hard problem is multi tenant isolation. An agent working across 100 Salesforce instances cannot let one customer's schema, records, or write actions leak into another customer's environment. That requires tenancy management, field mapping, and access controls outside the MCP protocol itself.
-
This is why orchestration vendors are positioning above MCP, not against it. Ampersand frames the missing pieces as auth, privacy, governance, rate limiting, retries, and error handling. Zapier makes a similar point, emphasizing built in access controls and app level permissions as the trust layer around agent actions.
-
A second market is forming alongside integration middleware, focused on agent governance. Promptfoo describes MCP proxying as a control layer that can whitelist tools, log interactions, and flag policy violations. That points to a stack where protocol, orchestration, and security each become separate products.
As MCP spreads, value will move up from basic protocol support toward systems that can prove safe execution across tenants and tools. The winners will be the platforms that make agents reliable in production, with clean isolation, auditable permissions, and governed read and write paths across the messy reality of enterprise SaaS.